locking an account to a computer

Where I work, we are installing 2 computers in the canteen, so people can STRICTLY browse the web and use Microsoft Office. I've created a new OU and created a couple of accounts for these new computers so our proxy policy can be more strict on what users can access. I started to create the group policy when something hit me. The user could just log off the new account, and use their account and it will be just as open as before.

What I'm asking is, is there any way I can lock these 2 new domain user accounts to ONLY these 2 computers?

I did think about disabling logging off, but if the computer needs some admin-ing, that would work.

We are using Windows Server 2003 and Windows XP.

There must be a way, surely.

Hope someone can help/advise (and sorry the explanation started to sound like a story a bit).

1. Create a Group Policy in the domain.
2. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
3. Edit "Allow log on locally" to contain the groups/users you want to be able to log on.
4. Close the GP, and apply it to an OU containing the computers you want to secure.

I was considering that as a possible solution, however I don't understand how that would restrict others from logging into the machine as you are not creating a deny list. My understanding is by setting the GPO setting it's actually acting as an override, denying authenticated users from logging in and only allowing those in the list.

Does the "log onto" option do this same thing? If it does then that's awesome, it will make this easier for myself to configure in the future as I have been using the GPO method.

I think the easiest way would be to create a Security Group that contained only the accounts that you do NOT want to be able to log into those PCs. This might be tricky as nested groups might end up including admin accounts, etc.
Then you'd use the Deny Logon Local feature with that group.

I've done the bit with the ADUC accounts.
Where I'm having problems is denying other accounts to log on.

Here's what I've done.
In the User Rights Management:
set Allow local logon - admin account
allow log on through TS - domain admins only

deny local logon - domain\test1 (a test group I made in another OU)
deny logon as service - domain\test1
deny logon through terminal services - domain\test1

But I can still log on to the machine with the "test" account. I've done countless restarts. Am I missing something here, but I would have thought with all those settings configured, at least the test account wouldn't log in.

These computers are wireless, so they weren't pulling down the computer configuration before the interactive logon bit. I had to physically connect it and now it works. Bit of a pain, but oh well.

If you know a way I can set it to pull down that part of the GP before the interactive log on, that would be very helpful, otherwise I will just have to leave it as it is. It still works as I want it to. Just if I have to change anything on the computer config, I have to hardwire it to pull the update down.
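
One way to check whether a canteen PC has actually received the User Rights Assignment settings discussed in this thread, as an added example that is not part of the original posts: it parses the `[Privilege Rights]` section written by `secedit /export /cfg rights.inf /areas USER_RIGHTS` and applies the rule that a deny entry wins over an allow entry. The sample file contents and every SID are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes on a machine where the GPO has applied; every SID is made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1200
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(inf_text):
    """Return {right_name: set_of_principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # Entries are "*SID" (or a plain name); normalise for comparison.
            rights[name.strip()] = {
                v.strip().lstrip("*").upper() for v in value.split(",") if v.strip()
            }
    return rights

def can_log_on_locally(rights, token_sids):
    """token_sids: the account's own SID plus the SID of every group it is in.
    Deny is checked first; an account missing from the allow list is refused."""
    token = {s.upper() for s in token_sids}
    if token & rights.get("SeDenyInteractiveLogonRight", set()):
        return False
    return bool(token & rights.get("SeInteractiveLogonRight", set()))

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    kiosk = ["S-1-5-21-1111-2222-3333-1105"]  # constructed canteen account
    staff = ["S-1-5-21-1111-2222-3333-1300", "S-1-5-21-1111-2222-3333-513"]
    print("kiosk:", can_log_on_locally(rights, kiosk))
    print("staff:", can_log_on_locally(rights, staff))
```

A real export is typically UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_rights`. If the exported allow list still shows the default groups, the computer has not yet applied the policy, which matches the wireless symptom described above.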
